commit 91e5492d4c210f82f1ca6b43a73417fef5463368
Author: Robert Müller
Date: Sat Jan 15 17:36:39 2022 +0100

hotfix CVE-2021-43518

diff --git src/game/client/components/maplayers.cpp src/game/client/components/maplayers.cpp
index 24d09509..bbaaa821 100644
--- src/game/client/components/maplayers.cpp
+++ src/game/client/components/maplayers.cpp
@@ -175,7 +175,7 @@ void CMapLayers::LoadEnvPoints(const CLayers *pLayers, array& lEnvPoi
 p.m_Time = pEnvPoint_v1->m_Time;
 p.m_Curvetype = pEnvPoint_v1->m_Curvetype;
- for(int c = 0; c < pItem->m_Channels; c++)
+ for(int c = 0; c < std::min(pItem->m_Channels, 4); c++)
 {
 p.m_aValues[c] = pEnvPoint_v1->m_aValues[c];
 p.m_aInTangentdx[c] = 0;
diff --git src/game/editor/io.cpp src/game/editor/io.cpp
index 160bb1c6..2bedb06e 100644
--- src/game/editor/io.cpp
+++ src/game/editor/io.cpp
@@ -479,7 +479,8 @@ int CEditorMap::Load(class IStorage *pStorage, const char *pFileName, int Storag
 for(int e = 0; e < Num; e++)
 {
 CMapItemEnvelope *pItem = (CMapItemEnvelope *)DataFile.GetItem(Start+e, 0, 0);
- CEnvelope *pEnv = new CEnvelope(pItem->m_Channels);
+ const int Channels = std::min(pItem->m_Channels, 4);
+ CEnvelope *pEnv = new CEnvelope(Channels);
 pEnv->m_lPoints.set_size(pItem->m_NumPoints);
 for(int n = 0; n < pItem->m_NumPoints; n++)
 {
@@ -496,7 +497,7 @@ int CEditorMap::Load(class IStorage *pStorage, const char *pFileName, int Storag
 pEnv->m_lPoints[n].m_Time = pEnvPoint_v1->m_Time;
 pEnv->m_lPoints[n].m_Curvetype = pEnvPoint_v1->m_Curvetype;
- for(int c = 0; c < pItem->m_Channels; c++)
+ for(int c = 0; c < Channels; c++)
 {
 pEnv->m_lPoints[n].m_aValues[c] = pEnvPoint_v1->m_aValues[c];
 }
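Review bot: The bound in `std::min(pItem->m_Channels, 4)` is a bare literal with no visible link to the per-channel arrays this loop indexes by `c` (`p.m_aValues`, `p.m_aInTangentdx`), so a later change to their length would quietly reopen the overflow. Deriving it from the array and hoisting it above the loop, as io.cpp does with `Channels`, keeps the two in step: `const int Channels = std::min(pItem->m_Channels, (int)(sizeof(p.m_aValues) / sizeof(p.m_aValues[0])));`. The same literal appears in the io.cpp hunk at line 479. A comment such as `// m_Channels comes from the map file and must not exceed the per-point value arrays (CVE-2021-43518)` would record why the clamp exists. The loop body and `LoadEnvPoints` itself continue outside the hunk.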
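Review bot: `Channels` is bounded only from above, so a negative `m_Channels` in a malformed map file still reaches `new CEnvelope(Channels)`; what the constructor does with such a value is not visible in this hunk. Clamping both ends closes that: `const int Channels = std::max(0, std::min(pItem->m_Channels, 4));`. The neighbouring `pItem->m_NumPoints` is also read from the file and goes unchecked into `m_lPoints.set_size()` and the loop bound, and `pItem` is dereferenced without a null or size check, so both likely need the same validation. An out-of-range count is also truncated without any trace; logging a warning or refusing the map at this point would make malformed files visible when triaging reports. `CEditorMap::Load` starts and ends outside the hunk.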